A board that wants effective risk management oversight should focus on five key areas, says James W. DeLoach, managing director at Protiviti Inc. in Houston.
• Does the company's risk profile reflect its risks? “That's a question every board should be asking,” Mr. DeLoach said.
• Is the company continuously improving its risk management capabilities? “The board should be focused on making sure your lines of defense are strong,” he said. The lines of defense are the primary risk owners, the risk management and the internal audit functions.
• Is the board's risk appetite the same as top executives'? “The question for the board is, ‘Do we understand the CEO's appetite for risk?’ And that's a strategic issue,” he said.
• Is the organization's risk culture encouraging the right behavior? The board needs to be alert for dysfunctional behavior and confident it's providing timely input on critical risks. “What you're really looking for ... is evidence the organization is undertaking appropriate risk,” he said.
• Has the organization integrated risk management with core processes? “Is risk management a stand-alone appendage for the CEO and the C-suite, or is it integrated?”
A series of events starting with the 2008 financial crisis and continuing through recent major data breaches and defective-part recalls is prompting many companies' boards to take a more active role in overseeing risk management, a strategy that can benefit the organization and the risk manager.